Ghostery sneaks in new promotional messaging system

Ghostery is a rather controversial privacy add-on for various web browsers including Firefox and Google Chrome.

The extension has been designed to improve online privacy by blocking trackers. It can also inform you about the trackers used on sites, or, if you prefer, block them automatically without notifying you about occurrences.

Ghostery ships with lists that you can subscribe to which block certain types of trackers, for instance advertising, privacy or widgets.

While it may not block ads on the web, it reduces tracking by blocking certain kinds of trackers on sites you visit.

The most recent update to Ghostery 5.4.6 for Chrome, Safari, Opera and Firefox introduces two new options to the browser extension that add to the controversial nature of Ghostery.

The first introduces a messaging tool, which Ghostery calls the Consumer Messaging Platform, that allows the company to message users directly in the web browser.

According to Ghostery, it will be used for product announcements and promotions. What makes this problematic is that it is enabled by default.

If you have updated to the new Ghostery version already you are automatically opted-in, and if you install Ghostery anew in a browser, you are opted-in as well.

To disable this feature, do the following:

Open the Ghostery options in the browser you are using. In Chrome, right-click on the icon and select options; in Firefox, open about:addons and click on options next to the Ghostery entry there.

Switch to the Advanced tab on the options page and uncheck "Allow Ghostery to show messages in my browser related to product features, updates, and promotions".

Make sure you click save at the bottom of the screen as the modification won't stick otherwise.

The second new feature is a survey that is automatically opened when Ghostery is installed. Existing users find a survey link at the top of the options page.

This survey asks for personal information such as employment status, location, age or gender.

Closing Words

Ghostery does not seem to have used the feature yet to notify users, but it is probably only a matter of time until the first message is sent out to users who have the extension installed.

The main issue here is that this feature is opt-out, meaning it is enabled for all users of the extension. Since users are not informed about this when they run the extension, the only way they can find out about the new feature is by stumbling upon it in the options, reading the blog post on the Ghostery website, or reading about it on third-party websites.

Now You: Are you using Ghostery to block trackers on the web?

Author

Martin Brinkmann

About Martin Brinkmann

Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand.

Okay, had enough of so-called privacy enhancing tools produced by unknown entities whom I choose to take a punt on trusting but who turn out to be nefarious.

Martin could you do a comparison of Ghostery’s features versus that of the EFF’s Privacy Badger? I suspect they’re quite similar yet Privacy Badger had the backing of a legit organization, the EFF, and is thus less likely to change policy towards dubious practices down the track.

I suspect there’s minimal difference between the tools so we can all go get the Badger and consign Ghostery to the history books.

Trusting? Firefox extensions are javascript; usually the code is easily human-readable. Easily, as in, even if you’re not a “programmer”, you should be able to glean the flow of functions within the scripts and, from (usually) heuristically-named objects / functions / variables, glean an understanding of how and why. If you download (right-click and SaveAs) an extension file rather than installing it, by renaming .xpi to .zip and extracting its contents, you can view (and/or edit) the extension’s .js script file using a text editor. So, stop trusting (and bitching about “…nefarious”, and “suspect”ing, and begging “MOAR features comparison”) and exercise some personal responsibility.
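The inspection described in the comment above (treat the .xpi as a ZIP archive and read its scripts) can be partly automated. This is an added example, not part of the original thread or of any extension's code; the function names, the hint list and the sample archive (including the host cmp.example.test) are constructed for illustration.

```python
import io
import re
import zipfile
from collections import defaultdict

# File types that can carry extension logic or declare remote resources.
TEXT_SUFFIXES = (".js", ".jsm", ".json", ".html", ".xul", ".rdf")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Constructs worth reading first when checking what an add-on sends out.
NETWORK_HINTS = ("XMLHttpRequest", "fetch(", "sendBeacon", "WebSocket(")
MAX_BYTES = 5 * 1024 * 1024  # skip oversized members (decompression bombs)


def audit_xpi(source):
    """Return (hosts, hints) for an .xpi given as a path or file-like object.

    hosts: {hostname: sorted list of member files that mention it}
    hints: {member file: sorted list of network-related constructs it uses}
    """
    hosts = defaultdict(set)
    hints = {}
    with zipfile.ZipFile(source) as xpi:  # an .xpi is a plain ZIP archive
        for info in xpi.infolist():
            name = info.filename
            if not name.lower().endswith(TEXT_SUFFIXES):
                continue
            if info.file_size > MAX_BYTES:
                continue
            text = xpi.read(info).decode("utf-8", errors="replace")
            for host in URL_RE.findall(text):
                hosts[host.lower().rstrip(".")].add(name)
            found = sorted(h for h in NETWORK_HINTS if h in text)
            if found:
                hints[name] = found
    return {h: sorted(f) for h, f in hosts.items()}, hints


def build_sample_xpi():
    """Constructed sample archive so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", "<RDF><em:name>Sample</em:name></RDF>")
        z.writestr("lib/messaging.js",
                   'var x = new XMLHttpRequest();\n'
                   'x.open("GET", "https://cmp.example.test/messages");\n')
        z.writestr("lib/blocker.js", "function block(u) { return true; }\n")
        z.writestr("icon.png", b"\x89PNG not text")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    hosts, hints = audit_xpi(build_sample_xpi())
    for host, files in sorted(hosts.items()):
        print(host, "<-", ", ".join(files))
    for name, found in sorted(hints.items()):
        print(name, "uses", ", ".join(found))
```

String matching only surfaces literal URLs and API names; endpoints assembled at runtime or buried in minified code still require reading the scripts themselves.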

The three biggest differences for me between Privacy Badger and Ghostery: 1) Privacy Badger is put out by a reputable organization known for defending consumer privacy, while Ghostery is developed by a for-profit company that benefits from tracking your blocking preferences. (This actually doesn’t bother me too much, since all of those tracking features are able to be disabled.) 2) Rather than using a pre-compiled block list like Ghostery and Disconnect and UBlock, Privacy Badger uses no such list. Instead it detects tracking behavior on its own as it encounters new cookies. This means that a new install of Privacy Badger will block very little at first, but learn more continually and be more effective as you continue to browse more sites. This also means that it can theoretically block brand new trackers as soon as you encounter them, whereas Ghostery will need to wait for Evidon to release an update to their block list. 3) By default, Privacy Badger only blocks cookies that it determines to be tracking you. If a cookie belongs to a banner ad that respects the ‘Do Not Track’ header, then it is permitted. The theory behind this is to not penalize advertising companies who play nicely with user preferences, only those who ignore them and track maliciously.

I also have never heard of any Privacy Badger controversy, and I read at least 10 tech sites a day, a couple of which are focused on security and privacy.

Privacy Badger is developed by the EFF, which is a highly regarded non-profit whose focus is user rights, privacy and security. I would be highly surprised if they were found to be trying something sneaky.

Oh, maybe you wanna allow SOME 3p cookies? By connecting to the 3P servers (sending headers, including DontNotTrack header) and TRUSTING, until/unless privacy badger “recognizes” misbehavior and decides to block… seems analogous to sticking your arm into a wood chipper because you TRUST that SOME wood chippers recognize and “respect” human limbs.

“developed by the EFF, which is a highly regarded”… highly regarded by “parrots” who like to tick checkboxes in order to feel safe. Those parrots, including many bloggers/reviewers, serve as fervent brand advocates ~~ they relish telling all the peeps who will listen about how smart and safe they are.

I use Ublock Origin and up to 2 weeks ago PrivacyBadger but it breaks two sites now I use frequently. I also use RequestPolicy Continued. Are they all the same? Yeah it would be an excellent idea if you could please do an article about these privacy extensions.

While it’s not uncommon to run several together, they could interfere with each other – but without complaining, so they all seem to work. I know back in the day, when I first used RequestPolicy, that stopped a lot of stuff even showing up in Ghostery (and in NoScript) – same with uBlock Origin. This XSS blocking means the JS never even lands so other “per page” extensions don’t even register.

I would recommend you ditch the (IMO, utterly horrible UI) RequestPolicy Continued, as well as Privacy Badger – uBlock Origin can handle all of this. Set to a default of block all 3rd party (three items – 3rd party, 3rd party scripts, 3rd party frames – left column – solid dark red), and then allow on a per site basis (using the right column). After allowing a 3rd party on a per site basis you can then decide to allow via NoScript. I installed badger once, it caught absolutely nothing – IMO it’s redundant if you’re using uBlock Origin – same with Ghostery (which I ditched years ago), same with RequestPolicy (Continued as well), same with ewww Disconnect.

Very helpful Pants for the explanation. It breaks rarbg & kat. Like I said I disabled PB for now. I favor PB though. I like what EFF is doing and I also like that PB learns while you click away. Anyway I will consider dumping RequestPolicy Continued although Martin gave a good write up on that one.

PS I also use No Script. PSS I haven’t touched Ublock and just let it do its stuff by default. Is that right or should I look under the hood?

Funnily enough I played with the sliders for the first time last night (should have done that earlier) and I discovered the same. Thanks though for your answer and service. You are a star and a great asset to this site.

Valuable article. This new opt-out Ghostery extravagance seems so questionable, so easy to disable accordingly and yet the company includes it. This is relevant of the number of users who will run the new version blindly, unfortunately, and perhaps as well the high ratio to users who will disable this crappy setting.

I had tried Ghostery like many if not all privacy/security add-ons (we’re referring to the browser, system-wide is another topic) and removed it at the time for Disconnect together with Adblock Plus … seems so far away, so naive when compared to the all-in-one ‘uBlock Origin’ top-notch add-on, applauded and recommended by Steve Gibson* himself.

A few years ago there was some controversy regarding ‘Ghostery’. Not sure if I remember correctly but I think it had something to do with ‘Ghostery’ itself tracking users, and/or allowing certain domains which are typically blocked. For that reason I have avoided installing it. Recently I was contemplating if I should revisit ‘Ghostery’ and reconsider my decision to not use it. Reconsidered. Not using it.

uBlock Origin (with some additional filters) and NoScript do the trick and make the web usable. Of course I try to not block Martin’s ads!

Something like that, Ghostery has been suspicious for a long time and there were some debates, even one of the Disconnect guys came to clear things up, but no one from Ghostery. On Firefox it’s Disconnect, NoScript, Canvas Blocker and BluHell, and on Opera I have Disconnect, uBlock Origin and Privacy Plus. Seems to do the trick for me. Might try Privacy Badger some day.

The company behind Ghostery, Evidon (once called Better Advertising), has been selling the collected data of its users for years and they don’t even make a secret of it. Their justification: advertisers don’t want to target users who opted out from ads, so this data helps in their target research.

After the acceptable ads debacle – and to me it really was a debacle, because paying the company to land on its whitelist doesn’t make their ad delivery channel any safer than others – neither Ghostery nor AdBlock Plus remained on my list of most important extensions. I’m very thankful that there are people like gorhill out there, who singlehandedly create a new generation of content blockers under an open source license.

Hiding is old fashioned. The right strategy is to say, show everything (with moderation : never forget the masses that take it as it comes, no point for a company in being masochist by yelling it all to the poor fellow minding his own business). Problem is, it’s not because you don’t hide anything that it means there’s nothing to hide : showing can be that darn smart communication strategy aiming that as many users as possible will run on that equation : transparency => honesty. Not always. Reciprocally I’ve noted that sometimes honesty without transparency, yes sir!

You’d be surprised the depths of psychology called when elaborating communication strategies … to the point of an evil’s wisdom.

I didn’t mention the exact page on Wilder Security, though I have it. I didn’t want to focus on the site since I was only quoting a simple user’s reference to the video and audio. Should anyone care for the exact url to the site’s page just let me know. I’m already slightly off-topic when elaborating on another blocker than the one here mentioned (I’m very often off-topic but where are boundaries when life is a trans-disciplinary continuum? … there we go again!)

I had a look on uBlock Origin and it sounds interesting, but as I’m using HostsMan (abelhadigital.com) to block sites via hosts file and it seems to use the same host lists as uBlock Origin, I think I will continue to use Privacy Badger and Ghostery for cookies for the time being.

It would be really nice though, as mentioned by “Pd” and “wybo”, to get a comprehensive comparison of the different methods / tools used.

I use HostsMan as well, what a brilliant application as it allows and manages so well multiple sources. But dealing with HOSTS file(s) is only one of the three basic functions of uBlock Origin.

uBlock figures as well in – the category of a 3rd parties-type applications blocker such as RequestPolicy or Policeman ; – the category of a HOSTS file integrator ; – the category of an adblocker (terminology refused by gorhill, the developer, “uBlock Origin is not an “ad blocker”, it is a wide-spectrum blocker, which happens to be able to function as a mere “ad blocker”.”)

Moreover it is possible to manage scripts (1st-party, 3rd-party, even inline scripts) ! It just has it all. And with it all it runs faster and consumes less CPU than competitors which don’t have it all.

My first advice concerning cookies is to disable 3rd-party cookies directly in the browser settings. If this had been done in the above benchmark, the 3rd-party cookie count for any one blocker would have been zero — even without using a blocker.

We appreciate all the feedback. The CMP was designed so that we had a way to communicate with our users since we don’t ask for email addresses. We aren’t serving ads, we are just providing a way to tell you about new features or product related updates. The CMP was detailed in the release notes and we provided instructions on how to turn it off if you would rather not receive the alerts.

Just as an update.. The link in the version update points to our old blog and will be updated in the next release. The current version number is 5.4.8. This feature you are referring to was released back in July. Current notes can be found here: http://mygho.st/zn

I found Privacy Badger to work the best and show in the counter 24 or more “blocks” whereas other “blockers” were showing 5-10. The problem I found with PB is that it “breaks” a lot of sites–the sites simply don’t work with the program installed which means I need to turn it off. CNET is a good example; Lifehacker really goes bonkers with PB on. PB reduced “spam” level from maybe 20 to 5 within two days of use. If I enable it again on those “trouble” sites, back to the high spam count. Must be big money in clicking.

“The most recent update to Ghostery 5.4.6 for Chrome, Safari, Opera and Firefox”

Hmm. I have Firefox 40.0.3, and my Ghostery is 5.4.8, not 5.4.6, and also that option was not checked by default, at least not for me, and I’ve never seen it or unchecked it.

I’ve seen people here saying Ublock Origin was the way to go, and I use that as well, but I thought Ghostery did something different than Ublock. I thought Ublock’s job was ad-blocking (as in an alternative to AdBlock Plus), and that Ghostery performed other functions.

Does anyone know which of these popular privacy add-ons are redundant to each other?

uBlock Origin does it all, in this way that any other blocker will be redundant considering uBlock is configured correctly (‘advanced user’ option) and that the filters are wisely chosen (if uBlock has no filters and Adblock Plus has many and the right ones beware of comparisons). There is no point in adding fat to muscles.

Adblock & Ublock do the same thing : NO (read the comments on this very page) – uBlock does MORE, much more. Ghostery & Disconnect do the same thing : More or less but Disconnect is editable (dynamic and not fixed) Privacy Badger does its own thing : it’s still not highly performant. HTTPS Everywhere does its own thing : and its own thing is not universally considered as good. Better IMO to choose a per-site HTTPS switcher such as, for Firefox, the ‘Enforce Encryption’ add-on.

Now I uninstalled ABP too. I see that in uBlock there is the possibility to choose Disconnect lists. No more reason to have Disconnect installed? However, after 2 hours of surfing with UBlock, it does its job very well. Maybe there’s to improve like NoScript or Ghostery the part of reload page\alternative icons with blocked elements.

Everyone has his own limits to understanding and most often those limits are beyond what we conceive them to be, but they exist. I believe i.e. that uBlock is my limit when uMatrix (another concept yet close to uBlock) seems too tough for me at the time (yet I could be mistaken and, should I be obliged to use it maybe would I find the required resources : what is laziness and what is brains limit?). Consequently some users may prefer a minimum effort add-on even if they could manage a tougher one – or not. It’s up to everyone I guess but one thing is sure : more you wish to have exactly what you aim for more you’ll have to commit yourself.

Thanks for the links. Well, seems that differences in comparison with Ghostery and Disconnect are mainly related social site and Google: https://github.com/gorhill/uBlock/wiki/uBlock-and-others:-Blocking-ads,-trackers,-malwares The author suggest some rules with Dynamic filtering, however Ghostery or Disconnect improve a little the blocking protection in addition of uBlock. So the moment I’ll use Disconnect too (and sincerely I prefer Ghostery over Disconnect because I can configure more settings, but after this topic…). I’ve also tried in last hour uMatrix (not bad, powerful) but are enough NoScript + Cookie Controller and Request Policy. Old configuration: Noscript+ABP+Ghostery New configuration: Noscript+uBlock+Disconnect

PS: if uBlock ‘Prevent WebRTC’ is enabled, there’s a little annoying message of Preferred Monitor Add-on when Firefox starts and at the moment seems that ublock0:^media.peerconnection\ in ‘Ignore by add-ons’ or ‘Ignore Change On’ doesn’t solve.

According to https://www.ghostery.com/en/articles/updates-to-our-ghostery-browser-extension-privacy-statement/, the CMP “evaluates your IP address, browser, operating system, and Ghostrank status” but says that “we do not retain or store your IP address, nor do we share any of this information with third parties.” Does Evidon store the info about browser and OS? IP address is the big one for me, so it is good that they don’t retain that. Ghostery does block ads and speeds up the loading of webpages by quite a bit.

No company can be trusted to protect user privacy. In the end, they all sell their users out. Look at the recent changes with Microsoft and AVG. Best alternatives are the open source uBlock Origin and EFF’s Privacy Badger.

Just to add to my original complaint: Why would anyone want to pause blocking, instead of just whitelisting a site?

Sometimes, sites transfer you elsewhere. For instance, you’re buying from a small merchant online, and then are transferred to some sort of Verified By Visa (for example) payment system. Tracker blockers totally mess this kind of thing up, and white-listing the initial site won’t automatically clear the second one!

So the only thing you can do is dig through your Extensions settings and manually disable the whole thing until you’re done shopping. It’s a bit of a nightmare.

You have right. In addition Disconnect has another two things that I don’t like: a too big counter that cover nearly all the add-on icon and it doesn’t block to default ‘Contents’ (maybe this is good for others). If you want disable uBlock: https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-turn-off-uBlock-everywhere Is not so immediately like ABP but nobody is perfect. I think that more powerful becomes an add-on it must ensure to users more usability (like NoScript). However Ghostery after see that new option checked for me is dead (it’s a pity). Hope that Disconnect doesn’t send info too.

see Tom Hawack’s link above in the comments for the wiki on how to use uBlock Origin

It’s actually quite simple – the left column is GLOBAL settings, the right column is on a per site basis (and then there’s the padlock and eraser icons to save changes, a big pause icon, and icons per site for fonts etc) – but read the wiki .. it has pictures :)
